[tex-live] tlmgr: Package verification

Norbert Preining norbert at preining.info
Wed Jan 24 05:00:32 CET 2018

Hi Philipp,

(btw, removing Martin, he is anyway on the list I guess)

> I'd like to help here, but I haven't had an idea so far how it could
> be made clearer.

If I have some spare time, I will try to write up more details, but I am
not sure whether the tlmgr man page is the correct place.

> > Without --no-verify-downloads you will always get the main repository
> > checked, which cannot be turned off with --no-require-verification.
> > But with --no-verify-downloads even the main repo is not checked.
> Is this the only case where it makes a difference? I can't even guess

Well, these are conceptually two different things: The one controls
whether checks should be made, the other controls whether missing
signatures should be treated as errors or not.

Thus there are more differences: With --no-verify-downloads, nothing is
done, and no gpg available or so is reported. While without it, the
signature status (no signature, missing public key, ...) is reported.

> texlive.tlpdb.somehash files). To my surprise, the hash wasn't found
> anywhere.

Indeed, there are a lot of components playing into this, one being that the
logging of the checksum was not done in all places :-((( Sorry for that.
The other thing was that the actual packages were only checked against
the sizes and not the checksum, due to some refactoring at some point
(renaming the checksum data from containermd5 to containerchecksum).

This has been fixed now in the subversion repository and will be pushed
out rather soon. Now with -v tlmgr would spit out something like this:

D:tlpdb:_install_data: what=/home/norbert/public_html/tlnet/archive/collection-latexextra.tar.xz, target=/home/norbert/tl/2017/texmf-dist, size=5504, checksum=6e72d01334e032e927d1ccc06e50766d6d151e20e6d6997a3c4e2950b73bc082bce773a946930b9db9ec20f323a88a2d242f0cb012998a258fc4244de546fb33, tmpdir=/tmp/UQNV4diBME/lzqy7LKVuv
D:check_file /tmp/UQNV4diBME/lzqy7LKVuv/collection-latexextra.tar.xz, 6e72d01334e032e927d1ccc06e50766d6d151e20e6d6997a3c4e2950b73bc082bce773a946930b9db9ec20f323a88a2d242f0cb012998a258fc4244de546fb33, 5504
D:tlchecksum(/tmp/UQNV4diBME/lzqy7LKVuv/collection-latexextra.tar.xz): ===6e72d01334e032e927d1ccc06e50766d6d151e20e6d6997a3c4e2950b73bc082bce773a946930b9db9ec20f323a88a2d242f0cb012998a258fc4244de546fb33===
D:TLUtils::check_file: checksums for /tmp/UQNV4diBME/lzqy7LKVuv/collection-latexextra.tar.xz agree
D:un-xzing /tmp/UQNV4diBME/lzqy7LKVuv/collection-latexextra.tar.xz to /tmp/UQNV4diBME/lzqy7LKVuv/collection-latexextra.tar

Big thanks for your insistence which pointed me at insufficiencies *and*
bugs in the code!!!!



PREINING Norbert                               http://www.preining.info
Accelia Inc.     +    JAIST     +    TeX Live     +    Debian Developer
GPG: 0x860CDC13   fp: F7D8 A928 26E3 16A1 9FA0 ACF0 6CAC A448 860C DC13
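
Added example, not part of the original message and not tlmgr's own code: a sketch of the size-plus-checksum check shown in the debug output, run on constructed data to show why the size-only comparison described above lets a modified container through. It assumes the 128-hex-digit checksum is SHA-512; the names check_file and demo and the sample payload are hypothetical.

```python
import hashlib
import os
import tempfile


def check_file(path, expected_checksum=None, expected_size=None):
    """Return a list of problems; an empty list means the file passed.

    Hypothetical helper modelled on the size + checksum check in the log above.
    """
    if expected_checksum is None and expected_size is None:
        # Nothing recorded to compare against: treat as a failure, not a pass.
        return ["no checksum or size to verify against"]
    problems = []
    if expected_size is not None:
        actual = os.path.getsize(path)
        if actual != expected_size:
            problems.append(f"size mismatch: {actual} != {expected_size}")
    if expected_checksum is not None:
        digest = hashlib.sha512()  # assumption: checksum is SHA-512
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                digest.update(chunk)
        if digest.hexdigest() != expected_checksum.lower():
            problems.append("checksum mismatch")
    return problems


def demo():
    """Constructed data: a same-size modification passes the size-only
    check but fails once the checksum is compared as well."""
    original = b"constructed container payload " * 100
    tampered = b"X" + original[1:]  # one byte changed, length unchanged
    recorded_sum = hashlib.sha512(original).hexdigest()
    recorded_size = len(original)
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sample.tar.xz")
        with open(path, "wb") as fh:
            fh.write(tampered)
        size_only = check_file(path, expected_size=recorded_size)
        full = check_file(path, recorded_sum, recorded_size)
    return size_only, full


if __name__ == "__main__":
    size_only, full = demo()
    print("size only:      ", size_only or "passed")
    print("size + checksum:", full or "passed")
```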

